AD account locking out

whitelightrider · 17-02-2009 4:01pm #1

Folks,

I have a user here logging into a Windows 2003 server. At least once a day she will get locked out of her account for no reason. I have reset her password, set it to never expire, etc and it still happens. Cant seem to figure this one out.

Capt'n Midnight · 17-02-2009 9:23pm

is there something trying to access the server with a stored password , maybe IE ?

is dns working ok in case she can't see the logonserverf

what are the lockouts set to / how long are they for

check security in eventviewer on client and domain controller in case clues there

CiaranC · 17-02-2009 9:25pm

A lot of the new viruses are using $Admin shares to propagate. They try to authenticate against the server with a password list etc. Particularly Downadup. Maybe check that out.

whitelightrider · 18-02-2009 9:30am

Account lockouts are set to 3 attempts. Ive checked the logs on the server and on the client and theyre not showing anything regarding unauthorised attempts.

KTRIC · 18-02-2009 9:36am

Do you have MS Communicator on the clients ?

Sleipnir · 18-02-2009 9:41am

Could she be logged in to another machine?

whitelightrider · 18-02-2009 9:52am

Dont have MS Communicator.

She logs into her local PC and then uses Citrix to login to the servers in Dublin. I have synched her password in both places, recreated her Citrix profile in case that was corrupt, swapped out the PC in case that was the problem. But its still happening.

Sleipnir · 18-02-2009 9:57am

I get this a lot with people who are logged into some other machine somewhere on the network that they've forgotten about. Never really looked into it much to be honest but usually when I find the other machine and log them out it's okay.

I usually use Hyena to find the other machine but you might be able to find it using psloggedon from PStools. http://technet.microsoft.com/en-us/sysinternals/bb897545.aspx

I know how much a pain the ass this is so I'm watching for all other suggestions!

Sleipnir · 18-02-2009 2:11pm

ANy joy OP?

testicle · 23-02-2009 2:53pm

Any services/scheduled tasks running as that user?

NullZer0 · 11-03-2009 2:38am

Sleipnir wrote: »

Could she be logged in to another machine?

Thats what I would think too.
Stored passwords?

joe_elway · 12-03-2009 10:58am

use the "user account lockout tools" (free download) to ID exactly when and where (what DC) the lockout takes place. Then use that info to check the security log. That'll tell you what machine this takes place on and exactly when it happened.

In tha past, this normally happened to me/team members when they failed to log our of a server (RDP access) and disconnected instead. They'd stay logged in. They'd change their password according to policy and the disconnected session would then start to fail to login to mapped resources. That'd lock them out. Resetting that session using the above troubleshooting would sort things out.

Could also be a negligent admin using their own credentials to start a service. ID the trouble machine (above) and then check services logon credentials in the services MMC. Follow that up with a stick across the knuckles and a lesson on security.

AD account locking out

Comments